Audit Report

OIG-09-027
Management Letter for Fiscal Year 2008 Audit of the Office of the Comptroller of the Currency's Financial Statements

January 8, 2009

Office of Inspector General
Department of the Treasury


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220
OFFICE OF INSPECTOR GENERAL

January 8, 2009

MEMORANDUM FOR JOHN C. DUGAN
               COMPTROLLER OF THE CURRENCY

FROM:          Michael Fitzgerald /s/
               Director, Financial Audits

SUBJECT:       Management Letter for Fiscal Year 2008 Audit of the Office of the Comptroller of the Currency's Financial Statements

I am pleased to transmit the attached management letter in connection with the audit of the Office of the Comptroller of the Currency's (OCC) Fiscal Year 2008 financial statements. Under a contract monitored by the Office of Inspector General, GKA, P.C. (GKA), an independent certified public accounting firm, performed an audit of the financial statements of OCC as of September 30, 2008 and for the year then ended. The contract required that the audit be performed in accordance with generally accepted government auditing standards; applicable provisions of Office of Management and Budget Bulletin No. 07-04, Audit Requirements for Federal Financial Statements; and the GAO/PCIE Financial Audit Manual.

As part of its audit, GKA issued and is responsible for the accompanying management letter, which discusses matters involving internal control over financial reporting and its operation that were identified during the audit but were not required to be included in the audit reports.

In connection with the contract, we reviewed GKA's letter and related documentation and inquired of its representatives. Our review disclosed no instances where GKA did not comply, in all material respects, with generally accepted government auditing standards.

Should you have any questions, please contact me at (202) 927-5789, or a member of your staff may contact Ade Bankole, Manager, Financial Audits, at (202) 927-5329.

Attachment


gka, P.C.   Certified Public Accountants | Management Consultants

OFFICE OF THE COMPTROLLER OF THE CURRENCY
MANAGEMENT LETTER
FISCAL YEAR 2008

October 31, 2008

Member of the American Institute of Certified Public Accountants
1015 18th Street, NW · Suite 200 · Washington, DC 20036 · Phone: 202-857-1777 · Fax: 202-857-1778 · www.gkacpa.com


Inspector General, Department of the Treasury, and the Comptroller of the Currency:

We have audited the balance sheet as of September 30, 2008 and the related statements of net cost, changes in net position, and budgetary resources for the year then ended, hereinafter referred to as "financial statements", of the Office of the Comptroller of the Currency (OCC) and have issued an unqualified opinion thereon dated October 31, 2008. In planning and performing our audit of the financial statements of the OCC, we considered its internal control over financial reporting in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements and not to provide assurance on internal control. We have not considered the internal control since the date of our report.

During our audit we noted certain matters involving OCC's information technology general controls that are presented in this letter for your consideration. The comments and recommendations, all of which have been discussed with the appropriate members of OCC management, are intended to improve OCC's information technology general controls or result in other operating efficiencies.

OCC management's responses to our comments and recommendations have not been subjected to the auditing procedures applied in the audit of the financial statements and, accordingly, we do not express an opinion or provide any form of assurance on the appropriateness of the responses or the effectiveness of any corrective action described therein.

We appreciate the cooperation and courtesies extended to us during the audit. We will be pleased to meet with you or your staff, at your convenience, to discuss our report or furnish any additional information you may require.

October 31, 2008


Office of the Comptroller of the Currency
Management Letter Comments and Recommendations
Year Ended September 30, 2008

Improvements Needed in Information Technology General Controls over OCC's Financial Systems (Prior Year Significant Deficiency)

In our fiscal year (FY) 2007 audit, we identified weaknesses in the areas of entity-wide security program planning and management, access controls, service continuity, and application software development and change controls. We reported these weaknesses to management in our report on internal control over financial reporting.
In FY 2008, OCC made significant progress in resolving these weaknesses, as evidenced in OCC's Plan of Actions and Milestones (POA&M) and by our verification that many of the prior year issues had been corrected. Only two (2) of the 15 issues identified in FY 2007 remain open or partially resolved. We noted five (5) new areas for improvement in FY 2008. The weaknesses noted in OCC's IT general controls are discussed below.

(A) Entity-Wide Security Program Planning and Management

Entity-wide security program planning and management provides a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of the entity's computer-related controls.

In the FY 2008 audit, we noted that OCC strengthened its controls over requiring new contractors to complete and sign all access agreements before being given access to OCC information systems; the administration of the security awareness training; recordkeeping of users' access agreements; completion of the exit process for terminated employees; and testing and updating its Computer Incident Response Capability, as we recommended in our FY 2007 audit report. None of the findings noted in FY 2007 related to entity-wide security program planning and management were repeated in FY 2008. However, we noted a new finding in this area, which is detailed below together with our recommendation and management's response.

1. OCC did not ensure that background investigations had been performed prior to allowing employees access to sensitive information.

Two (2) of the ten (10) new hires selected for testing did not have completed background investigations. According to OCC management, the two individuals are temporary interns who did not work for more than 180 days and therefore do not require background investigations. However, OCC Information Security Program: Policies, Standards and Required Controls states: "The OCC limits access to its information and information resources strictly to those individuals who have demonstrated very high levels of professional competence and personal conduct. It screens its workforce members to ensure they are qualified to accept their information security responsibilities and to perform reliably in positions of public trust... The OCC requires the completion of suitable background investigations and signed acknowledgements of information security responsibility prior to allowing its employees and contractors access to its sensitive information and supporting technology."

The lack of adequate background investigations increases the risk that unqualified or untrustworthy individuals may have access to OCC data and systems.
This puts OCC data at risk of inadvertent or deliberate misuse, modification, destruction, or disclosure of sensitive information.

Recommendation:
We recommend that OCC management institute a process to screen temporary interns based on the risk designation of their position and complete a background investigation, if necessary.

Management's Response:
The Critical Infrastructure Protection and Security Office of the OCC concurs that two (2) of the new hires tested did not have background information due to the fact that they were temporary student interns assigned to low risk, non-sensitive, non-Public Trust positions that did not require a suitability investigation or a Homeland Security Presidential Directive (HSPD)-12 investigation under current regulations.

To address the perceived risk and remediate this finding, the OCC will change the procedures for student interns, requiring a minimal background investigation be completed by OPM in the form of a Special Agreement Check for all interns. This new procedure will be completed by November 1, 2008 due to necessary consultation with Human Resources and District Offices.

(B) Access Controls

Access controls limit and/or detect access to computer resources (data, programs, equipment and facilities), thereby protecting these resources against unauthorized modification, loss and disclosure.

We noted that OCC has implemented our FY 2007 audit recommendations pertaining to strengthening access controls, namely the password configuration settings for the C-Cure System and the revocation of unnecessary access accounts. However, one FY 2007 audit finding, pertaining to recordkeeping of management approval and recertification for access to the SQL Server database, has not been addressed. This is included in finding No. 2 below. In addition, we noted two new findings in this area. Our findings and recommendations, and management's responses, are detailed below.

2. OCC should document and maintain approved authorization and recertification forms for access to the SQL Server database related to the Financial Management applications (Repeat Finding).

OCC was unable to provide evidence of management authorization and recertification of access to the SQL Server database for $MART for six (6) of the 10 users selected for testing. This is contrary to OCC Information Security Program: Policies, Standards and Required Controls, which states: "The OCC manages information system accounts, including establishing, activating, modifying, reviewing and disabling accounts. It reviews user information system accounts at least annually and privileged accounts at least semi-annually... Only OCC-authorized users are allowed to access sensitive information and OCC information resources... System access controls shall deny access by default, and grant access only as authorized by appropriate authority... OCC limits system privileges to that functionality for which a user has a demonstrated need in the course of performing his or her work. This access allocation practice is called least privilege... The OCC requires access control lists to be reviewed monthly to reconfirm the need for continued access at the assigned access level for each user. It shall have access termination processes that ensure access is removed promptly when an authorized user is terminated, transferred or otherwise no longer requires access."

Without a strict requirement for documented management authorization, users may hold access rights to the SQL Server database that supports $MART that no one has approved or re-examined, putting OCC systems at increased risk of inappropriate modification or disclosure of data.

Recommendations:
We recommend that OCC management: (1) document and maintain on file approved database authorization forms for individuals with access to the SQL Server database supporting $MART, and (2) dedicate resources to complete its ongoing efforts to recertify the roles and privileges of users with SQL database access.

Management's Response:
Management concurs with the finding. OCC will enhance its current process of managing requests for access, and recertification of access, to the SQL Server database supporting $MART. The existing process will be evolved to use Remedy as its repository for the management of all $MART access requests. The $MART system administrator will work with the Database Administrator (DBA) team to create and periodically review a report of all users (general and system administrators) who have SQL Server accounts with roles that offer access to query $MART tables, views, and reports as part of a standard recertification process. The DBA team will update its standard processes to ensure steps associated with granting access to $MART SQL Server tables are clearly articulated, and all such actions are documented in Remedy. All remediation work will be completed by February 2009.

3. Database access permissions are not always granted in accordance with the principle of least privilege.

Database access permissions are not always granted in accordance with the principle of least privilege. Specifically, the BUILTIN\Administrators group, which is the Windows local Administrators group on the database server, is a member of the SQL Server sysadmin (System Administrator) fixed server role. Every member of that Windows group is therefore a SQL Server system administrator with unrestricted control over the instance, including the $MART database, a major application with a security categorization of Moderate. Windows Administrators are not required to manage databases and therefore should be removed from this role. Per OCC's management, when the $MART SQL Server database was initially set up, the BUILTIN\Administrators group was automatically added to the sysadmin role by default. OCC did not remove the group from the role because it is used to run the SQL Server services, and removing it could cause problems recovering the database in a disaster situation. Nonetheless, OCC Information Security Program: Policies, Standards and Required Controls states: "Information systems having a security categorization of MODERATE or HIGH shall enforce the most restrictive set of rights/privileges or access needed by users, or processes acting on behalf of users, for the performance of specified tasks."

Granting sysadmin rights to the Windows Administrators group means that anyone who is, or who becomes, a local administrator on the server, whether or not they hold any database administration role, can take full control of the $MART SQL database. This puts OCC systems and data at risk of inadvertent or deliberate modification, destruction and disclosure.

Recommendation:
We recommend that OCC management create a separate account to run the SQL Server services prior to removing the BUILTIN\Administrators group from the SQL Server sysadmin role, or establish alternate mechanisms to restrict Windows Administrators from obtaining full control over the $MART database.

Management's Response:
Management concurs with the finding. OCC has contacted Microsoft concerning the removal of the BUILTIN\Administrators group from the SQL Server Administration role. Microsoft has responded by providing instructions for safely removing the account.

The OCC will remove the BUILTIN\Administrators group from the SQL Server Administration role before December 31, 2008.

4. OCC does not currently monitor and review actions performed by database administrators within the $MART database.

OCC does not currently monitor and review actions performed by database administrators within the $MART database. The lack of active monitoring of OCC database administrators increases the risk of unauthorized modification, destruction, or disclosure of $MART data stored within the database.

OCC has procured and is currently in the process of implementing a COTS tool called Guardium, which will enable OCC to log and review database administrator activities.
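The following T-SQL is an added illustration for findings 2, 3 and 4. It is not part of GKA's audit work or OCC's remediation, and it does not reproduce the Guardium product. It shows the recertification report management commits to in finding 2 (every principal able to read or change $MART data, starting with sysadmin members because they bypass database permissions entirely), a guarded removal of BUILTIN\Administrators from the sysadmin role that refuses to proceed unless another enabled, human-usable sysadmin login exists (finding 3, addressing the recovery concern OCC raised), and a native SQL Server Audit that records role and permission changes and all data access, database administrators included (finding 4). The database name [SMART], the domain OCCDOMAIN, the DBA group name, the audit file path, and the use of SQL Server 2008 or later (the SERVER AUDIT statements do not exist on earlier versions) are assumptions made for the example; sp_addsrvrolemember and sp_dropsrvrolemember are used rather than ALTER SERVER ROLE because the latter arrived in a later release.

```sql
-- Added example, not GKA's or OCC's code. Assumptions: database [SMART],
-- group OCCDOMAIN\SMART_DBAs, audit directory D:\SQLAudit\ (must exist),
-- SQL Server 2008 or later for the SERVER AUDIT statements.
USE master;
GO
-- Finding 2, part 1: sysadmin members bypass every database permission, so a
-- recertification of "who can query $MART" must start with this list.
SELECT m.name AS login_name, m.type_desc, m.is_disabled,
       N'member of sysadmin (server role)' AS grant_path
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';
GO
-- Finding 3: give the DBAs their own sysadmin login, then remove the Windows
-- Administrators group, but never leave the instance without another sysadmin
-- (the disaster-recovery concern OCC raised). The engine's service account is
-- changed in SQL Server Configuration Manager beforehand, not in T-SQL.
CREATE LOGIN [OCCDOMAIN\SMART_DBAs] FROM WINDOWS;         -- assumed DBA group
EXEC sp_addsrvrolemember N'OCCDOMAIN\SMART_DBAs', N'sysadmin';
GO
IF EXISTS (SELECT 1
           FROM sys.server_role_members rm
           JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
           JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
           WHERE r.name = N'sysadmin'
             AND m.is_disabled = 0
             AND m.name <> N'BUILTIN\Administrators'
             AND m.name NOT LIKE N'##%'             -- internal certificate logins
             AND m.name NOT LIKE N'NT SERVICE\%'    -- service SIDs: not logon-capable
             AND m.name NOT LIKE N'NT AUTHORITY\%')
BEGIN
    EXEC sp_dropsrvrolemember N'BUILTIN\Administrators', N'sysadmin';
    DROP LOGIN [BUILTIN\Administrators];
END
ELSE
    RAISERROR(N'Refusing to drop BUILTIN\Administrators: no other enabled sysadmin login.', 16, 1);
GO
-- Finding 4: native audit trail of privileged activity (an alternative to the
-- Guardium tool named in the report; shown because it needs no extra product).
CREATE SERVER AUDIT [SMART_PrivilegedActivity]
    TO FILE (FILEPATH = N'D:\SQLAudit\', MAXSIZE = 256 MB)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION [SMART_ServerLevel]
    FOR SERVER AUDIT [SMART_PrivilegedActivity]
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),   -- who gains or loses sysadmin
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),     -- logins created, altered, dropped
    ADD (AUDIT_CHANGE_GROUP)                 -- tampering with the audit itself
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT [SMART_PrivilegedActivity] WITH (STATE = ON);
GO
USE [SMART];
GO
-- Finding 2, part 2: database users with read/write through fixed roles or
-- explicit grants, mapped back to the login that owns each user.
SELECT dp.name AS db_user, sp.name AS login_name, r.name AS grant_path
FROM sys.database_role_members drm
JOIN sys.database_principals r  ON r.principal_id  = drm.role_principal_id
JOIN sys.database_principals dp ON dp.principal_id = drm.member_principal_id
LEFT JOIN sys.server_principals sp ON sp.sid = dp.sid
WHERE r.name IN (N'db_owner', N'db_datareader', N'db_datawriter', N'db_ddladmin')
UNION ALL
SELECT dp.name, sp.name,
       perm.permission_name + N' ON ' +
       CASE perm.class WHEN 0 THEN N'DATABASE'
                       WHEN 1 THEN N'OBJECT::' + ISNULL(OBJECT_NAME(perm.major_id), N'?')
                       WHEN 3 THEN N'SCHEMA::' + SCHEMA_NAME(perm.major_id)
                       ELSE perm.class_desc END
FROM sys.database_permissions perm
JOIN sys.database_principals dp ON dp.principal_id = perm.grantee_principal_id
LEFT JOIN sys.server_principals sp ON sp.sid = dp.sid
WHERE perm.state IN ('G', 'W')          -- GRANT and GRANT WITH GRANT OPTION
  AND perm.permission_name IN (N'SELECT', N'INSERT', N'UPDATE', N'DELETE',
                               N'EXECUTE', N'ALTER', N'CONTROL')
ORDER BY db_user, grant_path;
GO
-- Finding 4, database side: every read/write by any principal, plus role and
-- permission changes inside $MART, written to the same audit.
CREATE DATABASE AUDIT SPECIFICATION [SMART_DataAccess]
    FOR SERVER AUDIT [SMART_PrivilegedActivity]
    ADD (SELECT, INSERT, UPDATE, DELETE ON DATABASE::[SMART] BY [public]),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- Review query for the periodic DBA-activity review the finding asks for.
SELECT event_time, server_principal_name, action_id, object_name, statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\*', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
GO
```

The guard before sp_dropsrvrolemember is the practical point of finding 3: if the Windows Administrators group were the only sysadmin, dropping it would lock every administrator out, and recovery would require restarting the instance in single-user mode. The audit is also made self-protecting by including AUDIT_CHANGE_GROUP, so a database administrator who pauses or alters the audit leaves a record of having done so, which is the kind of evidence the reviewers in finding 4 would look for first.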
The OCC Information Security Program: Policies, Standards and Required Controls states: "OCC ensures that its information systems produce audit logs that record user and processing activity related to system security, and that these logs are regularly reviewed."

Recommendation:
We recommend that OCC management complete the implementation of the Guardium tool and implement a process to periodically review database administrator actions.

Management's Response:
OCC Management concurs with the finding. OCC has procured the Guardium Security Suite 7.0 product. This tool will allow the OCC to actively monitor the actions of privileged users such as Database Administrators. The product will also allow for automatic alerts when privileged users (such as Database Administrators) access or attempt to access data they should not access. The tool will be installed by end of October, 2008. The capability to monitor database administrator actions, send alerts on unauthorized actions, and retain logs on actions involving data OCC has classified as sensitive for a minimum of 1 year, will be in place by February 28, 2009. At that point the OCC Computer Center Incident Response will add Guardium logs to the standard operating procedures for monitoring, review and reporting of logs. The Incident Response team reviews unusual activity throughout the day.

(C) Service Continuity

Service continuity controls ensure that when unexpected events occur, critical operations continue without interruption or are promptly resumed, and critical and sensitive data are protected.

During our audit, we noted that OCC has implemented our FY 2007 recommendations to strengthen its service continuity controls pertaining to the performance of a cost-benefit analysis to support its selection of an off-site storage facility close to the Data Center; maintenance of consistency between Contingency Planning documents; finalizing the Information Technology Recovery Plan; development of a formal emergency response training program for Data Center personnel; and mitigation of the risk of overheating due to the absence of an air conditioner in the Data Center telecommunications room. None of the findings noted in FY 2007 were repeated in FY 2008. However, we noted two (2) new findings in this area, which are detailed below together with our recommendations and management's responses.

5. Lessons learned from the disaster recovery testing have not been incorporated in the Disaster Recovery Plan.

The $MART Disaster Recovery Plan (DRP) was tested in February 2008. However, weaknesses identified during the disaster recovery testing have not been incorporated into the DRP.
OCC Information Security Program: Policies, Standards and Required Controls states: "The OCC reviews its contingency plans at least annually, and revises its plans to address system/organizational changes or problems encountered during plan implementation, execution, or testing."

Without an updated contingency plan, OCC may not be able to fully recover and restore $MART systems and data in a disaster situation.

Recommendation:
We recommend that OCC management institute a process to update the $MART DRP to address weaknesses identified during disaster recovery testing.

Management's Response:
Management concurs with the finding.

The template for the Disaster Recovery (DR) Post Exercise document will be revised to explicitly indicate that follow-through is required on lessons learned. Specifically, the lessons learned section of the document will be updated to specify that the lessons learned must be incorporated in the $MART Contingency Plan. Further, the format of this section will be updated to include owner and delivery date columns for each conclusion. This delineation of responsibility for each conclusion will allow for a more efficient process to track the status and close-out of each item.

The cross-functional team that participated in the $MART DR testing will reconvene to address the specific lessons learned from this exercise. Updates will be tracked and documented until conclusion. A memo will be drafted upon close-out and submitted to the Chief Information Officer detailing each remediation, accompanied by appropriate artifacts.

All remediation work will be completed by February 2009.

6. The OCC network failover capability has not been fully tested.

The OCC network failover capability has not been fully tested to ensure that network operations can be restored at an alternate site in a disaster situation. According to OCC management, funding issues and the potential risk to OCC business functions have prevented full testing of the failover capability. However, OCC Information Security Program: Policies, Standards and Required Controls states: "The OCC tests at least annually the contingency plans for its information systems having security categorizations of MODERATE or HIGH to determine the plans' effectiveness and its organizational readiness... For its information systems with MODERATE and HIGH security categorizations, the OCC identifies an alternate processing site and initiates necessary agreements to permit the resumption of information system operations for critical mission/business functions when the primary processing capabilities are unavailable. The OCC ensures that the timeframes for resumption of information systems operations are consistent with its recovery time objectives."

If the failover capability is not fully tested, OCC may not be able to restore its financial management systems (including $MART) in a disaster situation.

Recommendation:
We recommend that OCC management institute a process to fully test the network failover capability.

Management's Response:
OCC Management concurs. As noted in the findings, all non-disruptive elements of the $MART DRP have been tested. OCC will complete a risk-based cost-benefit analysis associated with conducting a full failover test of the components of the OCC network associated with $MART. The results of the risk assessment will be presented to the OCC Executive Committee by April 2009.

(D) Application Software Development and Change Control

Application software development and change controls prevent unauthorized programs, or unauthorized modifications to an existing program, from being implemented. During our audit, we identified one finding in this area that is being repeated for FY 2008. Our finding, related recommendation, and management's response are detailed below.

7. OCC has not fully implemented the necessary capabilities to automatically and promptly detect and remove unauthorized personal and public domain software from OCC systems (workstations) (Repeat Finding).

OCC users have local administrator privileges on their individual workstations and can install software at will. Additionally, even though OCC has implemented the Microsoft Systems Management Server (SMS) system, OCC has not fully implemented a process to detect and remove unauthorized software.
The implementation of SMS, which provides patch management, software distribution, and hardware and software inventory capabilities for OCC systems, is in the pilot phase of the process to detect and remove unauthorized software from OCC systems. However, National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems, User Installed Software, states: "If provided the necessary privileges, users have the ability to download and install software. The organization identifies what types of software downloads and installations are permitted (e.g., updates and security patches to existing software) and what types of downloads and installations are prohibited (e.g., software that is free only for personal, not government, use). The organization also restricts the use of install-on-demand software." Further, OCC Information Security Program: Policies, Standards and Required Controls states: "The OCC identifies which types of software downloads and installations shall be (1) Permitted (e.g., updates and security patches to existing software); or (2) Prohibited (e.g., software that is free only for personal, not government use, and software whose pedigree with regard to being potentially malicious is unknown or suspect); and (3) Enforces this accordingly."

The lack of active monitoring of OCC systems for the use of unauthorized software could result in the introduction of unapproved software into OCC's networking environment, which could negatively impact processing operations, introduce harmful viruses, and/or cause the loss of data.

Recommendation:
We recommend that OCC management continue to dedicate resources to fully implement the SMS process to automatically and promptly detect and remove unauthorized personal and public domain software from OCC systems (workstations), and implement controls to restrict users from downloading and installing unapproved software.

Management's Response:
Management concurs with the finding.

(1) The OCC will formalize its management controls over the prohibition of installing software that has not been officially approved, supported, and controlled by the OCC. These management controls consist of policy (PPM 4000-3), procedures, and annual security awareness training that are made available to all OCC computer users.

(2) Operational controls are also being used to provide additional safeguards. OCC's Information Technology Services (ITS) department has established a full accounting of all software currently found on its workstations and laptops. This inventory is cross-referenced against the OCC standard operating system build, application suites, and non-standard but OCC-sanctioned third party software. In February 2008, ITS began a pilot of this process with two Business Units. The pilot will continue through December of 2008, after which the remaining Business Units will be scheduled to implement and follow the process. This process will remain in place until OCC completes its full implementation of the Federal Desktop Core Configuration (FDCC) by December 2009.

(3) Technical controls are also being utilized to establish a secure operating system image that complies with the FDCC settings. Given the significant impact that the FDCC will have on OCC's mission capabilities, OCC is implementing FDCC in a phased manner, with low impact, low risk settings being deployed by January 2009; moderate impact, moderate risk settings being deployed by June 2009; and high impact, high risk settings (which include revocation of administrative privileges from general users) scheduled for December 2009. Lastly, given the age, complexity, and impact to OCC's core mission support systems, not all high impact, high risk settings may be implemented. Final disposition of this finding will not be fully enacted until OCC completes its impact analysis for removal of administrative privileges on its core mission applications. If it is determined that administrative privileges cannot be removed, OCC will have to accept the risk until its core mission systems can be upgraded, reengineered, and/or retired.